US12457098B2ActiveUtilityA1

SPDM-based firmware protection system and method

58
Assignee: DELL PRODUCTS LPPriority: Feb 24, 2023Filed: Feb 24, 2023Granted: Oct 28, 2025
Est. expiryFeb 24, 2043(~16.6 yrs left)· nominal 20-yr term from priority
H04L 9/0869H04L 9/3263H04L 9/0825
58
PatentIndex Score
0
Cited by
2
References
19
Claims

Abstract

According to embodiments of the present disclosure, a Security Protocol and Data Model (SPDM)-enabled device uses a device identity to provide, among other things, a SPDM-based firmware protection system and method that, upon execution by computer-readable instructions, receive, from a requesting device, a request to update the SPDM-enabled device with a software package, and obtain the software package from an online portal. The computer-readable instructions further encrypt the software package with an encryption key, encrypt the encryption key with a device identity certificate of the requesting device, and send the encrypted software package and encrypted encryption key to the requesting device.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. An Information Handling System (IHS) comprising:
 a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification; and 
 at least one memory coupled to at least one processor, the at least one memory having
 program instructions stored thereon that, upon execution by the at least one processor, cause the IHS to: 
 
 receive, from a requesting device, a request to update the SPDM-enabled device 
 with a software package; 
 obtain the software package from an online portal; 
 encrypt the software package with an encryption key; 
 encrypt the encryption key with a device identity certificate of the requesting device; and 
 send the encrypted software package and encrypted encryption key to the requesting device; 
 wherein the request includes the device identity certificate, and wherein the device identity certificate conforms to a data structure as specified by the SPDM specification. 
 
     
     
       2. The IHS of  claim 1 , wherein the requesting device comprises a Baseboard Management Controller (BMC) configured in the IHS. 
     
     
       3. The IHS of  claim 2 , wherein the program instructions, upon execution, further cause the IHS to:
 receive the encrypted software package and encrypted encryption key; 
 decrypt the encryption key with a private key corresponding to the device identity certificate of the requesting device; 
 decrypt the software package with the encryption key; and 
 update the SPDM-enabled device with the software package. 
 
     
     
       4. The IHS of  claim 3 , wherein the instructions are performed in a data center, and the BMC is located in the data center. 
     
     
       5. The IHS of  claim 3 , wherein the instructions are performed in the same IHS that the BMC is configured in. 
     
     
       6. The IHS of  claim 1 , wherein the program instructions, upon execution, further cause the IHS to obtain the device identity certificate from slot 0 of the data structure. 
     
     
       7. The IHS of  claim 1 , wherein the encryption key comprises a random encryption key. 
     
     
       8. The IHS of  claim 1 , wherein the online portal is managed by a vendor of the IHS. 
     
     
       9. A SPDM-based firmware protection method comprising:
 receiving, from a requesting device, a request to update a Security Protocol and Data
 Model (SPDM)-enabled device with a software package, the SPDM-enabled 
 device conforming to a SPDM specification; 
 obtaining the software package from an online portal; 
 encrypting the software package with an encryption key; 
 encrypting the encryption key with a device identity certificate of the requesting device; and 
 sending the encrypted software package and encrypted encryption key to the requesting device; 
 wherein the request includes the device identity certificate, and wherein the device identity certificate conforms to a data structure as specified by the SPDM specification. 
 
 
     
     
       10. The SPDM-based firmware protection method of  claim 9 , wherein the requesting device comprises a Baseboard Management Controller (BMC) configured in an Information Handling System (IHS), and wherein the SPDM-based firmware protection method further comprises:
 receiving, by the BMC, the encrypted software package and encrypted encryption key; 
 decrypting, by the BMC, the encryption key with the device identity certificate of the requesting device; 
 decrypting, by the BMC, the software package with the encryption key; and 
 updating, by the BMC, the SPDM-enabled device with the software package. 
 
     
     
       11. The SPDM-based firmware protection method of  claim 10 , performing the instructions wherein the SPDM-based firmware protection method is performed in a data center, and the BMC is located in the data center. 
     
     
       12. The SPDM-based firmware protection method of  claim 10 , further comprising performing the instructions wherein the SPDM-based firmware protection method is performed in the same IHS that the BMC is configured in. 
     
     
       13. The SPDM-based firmware protection method of  claim 10 , wherein the request includes the device identity certificate, wherein the device identity certificate conforms to a data structure as specified by the SPDM specification, and wherein the program instructions, upon execution, further cause the IHS to obtain comprising obtaining the device identity certificate from slot 0 of the data structure. 
     
     
       14. The SPDM-based firmware protection method of  claim 9 , wherein the encryption key comprises a random encryption key. 
     
     
       15. The SPDM-based firmware protection method of  claim 10 , wherein the online portal is managed by a vendor of the IHS. 
     
     
       16. A computer program product comprising a computer readable storage medium having program instructions stored thereon that, upon execution by an Information Handling System (IHS), cause the IHS to:
 receive, from a requesting device, a request to update a Security Protocol and Data Model (SPDM)-enabled device with a software package, the SPDM-enabled device conforming to a SPDM specification; 
 obtain the software package from an online portal; 
 encrypt the software package with an encryption key; 
 encrypt the encryption key with a device identity certificate of the requesting device; and 
 send the encrypted software package and encrypted encryption key to the requesting device; 
 wherein the request includes the device identity certificate, and wherein the device identity certificate conforms to a data structure as specified by the SPDM specification. 
 
     
     
       17. The computer program product of  claim 16 , wherein the requesting device comprises a Baseboard Management Controller (BMC) configured in the IHS, and wherein the program instructions, upon execution, further cause each of the BMC to:
 receive the encrypted software package and encrypted encryption key; 
 decrypt the encryption key with a private key corresponding to the device identity certificate of the requesting device; 
 decrypt the software package with the encryption key; and 
 update the SPDM-enabled device with the software package. 
 
     
     
       18. The computer program product of  claim 17 , wherein the instructions are performed in a data center, and the BMC is located in the data center. 
     
     
       19. The computer program product of  claim 17 , wherein the instructions are performed in the same IHS that the BMC is configured in.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.